One further point - this is also a very poor tool, in that it can cause immense collateral damage. If there's some malware on a subdomain, for example on http://blog.example.com/ to make one up, (i.e. perhaps one has WordPress installed, and it gets hacked), instead of contacting the host to fix the issue on the single subdomain, VeriSign would shut the entire domain name off. This would affect www.example.com, and all other services (e.g. email). For sites with many subdomains (e.g. LiveJournal, WordPress) or services, you can see where the collateral damage from this "blunt" tool can wreak havoc.

A more targeted tool that escalates the response would be a far better approach.

Sincerely,

George Kirikos
http://www.leap.com/

----- Original Message -----
From: George Kirikos <gkirikos@yahoo.com>
To: "registryservice@icann.org" <registryservice@icann.org>
Cc:
Sent: Tuesday, October 11, 2011 12:15 AM
Subject: Re: Opposed to VeriSign's proposed com/net Anti-Abuse Policy, due to lack of due process

Just to follow up, consider how poorly and broadly the language has been drafted defining "malware".

--- begin definition ------

"Malware" means any programming (code, scripts, active content, or other computer instruction or set of computer instructions) designed, or is intended, to (a) block access to, prevent the use or accessibility of, or alter, destroy or inhibit the use of, a computer, computer program, computer operations, computer services or computer network, by authorized users; (b) adversely affect, interrupt or disable the operation, security, or integrity of a computer, computer program, computer operations, computer services or computer network; (c) falsely purport to perform a useful function but which actually perform a destructive or harmful function or perform no useful function but consume significant computer, telecommunications or memory resources; (d) gain unauthorized access to or use of a computer, computer program, computer operations, computer services or computer network; (e) alter, damage, destroy, monitor, collect or transmit information within a computer, computer program, computer operations, computer services or computer network without the authorization of the owner of the information; (f) usurp the normal operation of a computer, computer program, computer operations, computer services or computer network; or (g) other abusive behavior. Malware includes, without limitation, various forms of crimeware, dialers, disabling devices, dishonest adware, hijackware, scareware, slag code (logic bombs), rootkits, spyware, Trojan horses, viruses, web bugs, and worms."

----- end definition ------

Notice the words "other abusive behavior" in item "g" -- this means that the definition is open-ended, leaving the classification of "abuse" entirely at VeriSign's discretion.

Furthermore, some of the itemized "abuse" is iffy, for example web bugs (final sentence) are used by MANY legitimate websites, but VeriSign defines them as malware:

http://en.wikipedia.org/wiki/Web_bug

Super-Persistent "cookies" (perhaps via flash) are also used by many sites, as are regular cookies. Do those "monitor" or "collect" information? (item "e") Certainly, so under VeriSign's definition, they could be considered "malware".

While VeriSign's motivation is to reduce crime, it does so at the expense of due process. This is a Pandora's Box that shouldn't be opened without at least a broad public consultation with domain name registrants, so that the implications of it can be carefully examined.

Sincerely,

George Kirikos
http://www.leap.com/

----- Original Message -----
From: George Kirikos <gkirikos@yahoo.com>
To: "registryservice@icann.org" <registryservice@icann.org>
Cc:
Sent: Monday, October 10, 2011 10:24 PM
Subject: Opposed to VeriSign's proposed com/net Anti-Abuse Policy, due to lack of due process

Hello,

VeriSign has submitted an application to ICANN for an Anti-Abuse policy for com/net domain names:

http://www.icann.org/en/registries/rsep/#2011008

We oppose that application, as it does not provide any due process to domain name registrants. VeriSign would become the judge, jury and executioner, able to suspend or delete domain names that are allegedly "abusive".

VeriSign even recognizes that legitimate domain names will be affected. To attempt to mitigate these "false positives", VeriSign proposes that legitimate registrants would only be able to protest *after* VeriSign has already taken action. Such action would have already damaged the innocent registrants and their users.

This is counter to the domain name registrants' rights to due process. Instead, VeriSign should be compelled to prove the alleged abuse in an appropriate legal forum (e.g. a court), where the registrants can face their accuser, before being allowed to suspend or delete a domain name.

If ICANN is going to permit this policy to go forward without due process changes, VeriSign should be required to carry liability insurance in the amount of $100 million for each act of suspension/deletion. This would allow registrants to recover financially in the event that VeriSign is found guilty of suspending/deleting a domain name that was not in fact "abusive."

Sincerely,

George Kirikos
http://www.leap.com/